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Abstract 

We describe a method to evaluate multivariate polynomials over a 
finite field and discuss its multiplicative complexity. 
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1 Introduction 

> . 

■ Many applications require the evaluation of multivariate polynomials over 

! finite fields. For instance, the so called affine codes (also called evaluation 

CN I or functional or algebraic geometry codes) are obtained evaluating a finite- 

' dimensional linear subspace of Fq[xi, . . . ,Xr ] at a finite set S* C ([2], [4], 

, [5] and several other papers). When the degree n of the polynomials is 

small, and/or the number r of variables is also small the direct computation 
is efficient, however as n, or r, or both become large, evaluation becomes an 
issue. The case of univariate polynomials was considered by several authors, 
r> I see e.g [10], [9] and some recent papers ([H], [I]). In this paper we propose an 

' evaluation method for multivariate polynomials which reduces significantly 

the multiplicative complexity and hence the computational burden. 
Set Mr{n) = ("+''), and let p{xi,...,Xr) be a polynomial of degree n in 
r variables with coefficients in a finite field ¥ps; the number of monomi- 
als occurring in p{xi, . . . , Xr) is Mr{n). We will consider the evaluation of 
p{xi, . . . , Xr) at a point a = (ai,...,ar) G Fpm, where m is divisible by 
s. A direct evaluation of . . . ,ar) is obtained from the evaluation of 
the Mr{n) distinct monomials, a task requiring Mr{n) — r — 1 multiplica- 
tions. Therefore we perform Mr{n) — 1 multiplications, and a total number 
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Ar{n) = Mr{n) — 1 of additions. The total number of required multiplica- 
tions is 



Pr{n) = 2Mr{n) - r - 2 = 2— + 



r + 1 



r-l 



H 1 - r 



r! (r-l)! 



n 



however different computing strategies can require a significant smaller num- 
ber of multiplications. To the aim of developing some of these strategies, 
the polynomial p{xi, . . . , Xr) is written as a sum 



of s polynomials, where each q polynomial of degree n in r 

variables with coefficients in the prime field Fp, the value p{ai, . . . , ar) can 
be obtained from the s values qi{ai, . . . , a^), 2s — 2 multiplications, and s 
additions in F^™ . In these computations f3 and its powers constitute a basis 
of ¥pm . Therefore, we may restrict our attention to the evaluation at a point 
a G Fpm of a polynomial q{xi, . . . , Xr), in r variables, of degree n over ¥p. 

As pointed out in [Ij, §2.1, the prime 2 is particularly interesting because of 
its occurrence in many practical applications, for example in error correction 
coding. Furthermore, in F2 multiplications are trivial. Therefore, we give 
first a description of our method in the easiest case, that is, over F2 and 
with two variables. Later, we generalize to any setting. 

2 Our computational model 

There are two kinds of multiplications that are involved in our computations: 
field multiplications in the coefficient field ¥ps and in extension field F^m. 
We assign cost 1 to any of these, except for the multiplications by or 1, 
that cost in our model. 

Remark 1. There can be multiplications that cost much less, such as squares 
in characteristic 2, but we still treat them as cost 1. 

As customary, we assign cost to any data reading. 

We could count separately field sums, but our aim is to minimize the 
number of field multiplications, and so we use as implicit upper bound for 
the number of sums the value 2Mj.{n), that is, twice the number of all 
monomials. We will not discuss of the number of sums any further. 
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We assume that an ordering on monomials is chosen once and for all, 
e.g. the degree lexicographical ordering (see |8j), so that our input data 
can be modeled as an ¥ps string, any entry corresponding to a polynomial 
coefficient. 

Remark 2. A well- established method to evaluate all monomials up to de- 
gree n at a given point is to start from degree-1 monomials and then iterate 
from degree-r monomials to degree-r + 1 monomials, since the computations 
of any degree-r +1 monomial requires only one multiplication, once you have 
in memory all degree-r monomials. 

We remark here that our algorithm accepts as input any polynomial of 
a given total degree and so our estimates are worst-case complexity, which 
translates in considering dense polynomials. Clearly, other faster methods 
could be derived for special classes of polynomials, such as sparse polyno- 
mials or polynomials with a predetermined algebraic structure. 

We will not discuss the memory requirement of our methods, but one 
can see easily by inspecting the following algorithms that it is negligible 
compared to their computational effort. 

3 The case r = 2, p = 2 

A polynomial P{x, y) of degree n in 2 variables over the binary field may be 
decomposed into a sum of 4 polynomials as 

P{x,y) = Po,o{x^,y^) + xPifi{x^,y^) + yPo,i{x'^,y'^) + xyPi,i{x'^,y^) 
= Poflix,yf +xPiflix,yf +yPo,iix,yf +xyPi^i{x,yf. (2) 

where Pij{x,y) are polynomials of degree [ "~^~-' J . Therefore the value 
of P{x,y) in the point a = (01,02) G I^i™ ^™ tie obtained by comput- 
ing the 4 numbers Pij{ai,a2), the monomial 0102, performing 3 products 
aiPifi{ai,a2), 02^0,1(0^!) 0^2)1 and aia2-Pi,i(ai) «2)) and finally performing 
3 additions. We observe that all Pij^s have the same possible monomials, 
i.e. all monomials of degree up to [^\ . There is no need to store separately 
Po,Ot Po,1t Pifi, Pi,ij because the selection of any of these is obtained by a 
trivial indexing rule. The polynomials Pjj(ai, 02) can be evaluated as sums 
of such monomials, which can be evaluated once for all. Therefore, P{ai, 02) 
is obtained performing (see Remark [2]) a total number of 
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multiplications, a figure considerably less than ^ as required by the direct 
computation. However, the mechanism can be iterated, and the point is to 
find the number of steps yielding the maximum gain, that is to find the most 
convenient degree of the polynomials that should be directly evaluated. We 
have the following: 

Theorem 1. Let P{x,y) be a polynomial of degree n over ¥2, its evaluation 
at a point (ai, 02) € F^m performed by applying repeatedly the decomposition 
(0^, requires a number G 2 {n, 2, L opt) of products which asymptotically is 

[7 

G2{n,2,Lopt) ^ cJ -n c<5 

where Lopt, the number of iterations yielding the minimum of G2{n,2, L), is 
an integer included into the interval 




n) + € < Lop < log4( 




where e and e' are less than 1 and O(^). 



Proof. The polynomial P{x^ y) is decomposed into the sum of 4 poly- 
nomials that are perfect squares over F2, each of which is the similarly 
decomposed. Let P^^j'^\x,y) denote the polynomials at the L-step of this 
iterative process, with h varying from 1 to 4^^^. The number of polyno- 
mials after L steps is 4^, while their degrees are not greater than [^J. 
The value P{ai,a2) is obtained performing backward the reconstruction 
process obtaining at each step the values ^''^^ (01,02) from the val- 
ues Pl^-^\ai,a2), whereas the 4^ numbers p/^''^''(ai, 02), i,j G {0,1} and 
/i = 0, . . . , 4^~^ , are computed from the direct evaluation of M2 ( [^J ) mono- 
mials using M2([^J) — 3 multiplications. 

Therefore the total number of multiplications necessary to obtain P{ai , 02) 
is a sum of M2 ( [^J ) - 3 with 

- the number of squares 

1(4^ - 1) = [4^ + 4-^-1 + • • • + 4-^-^+1] 
3 

- the number of multiplications of kind x'''y^ Pij{ai, 02) 

4^ - 1 = 3[4^"^ + 4^"^ + • • • + 4^-^] 
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that is the total number is: 

The number of products required to evaluate P{ai,a2) in this way is a 
function of L, and the values of L that correspond to local minima are 
specified by the conditions 

G2{n,2,L) <G2{n,2,L - I) and G2(n, 2, L) < G2(n, 2, L + 1) , 

from which, it is straightforward to obtain the conditions 

4^ - f s < wfil + - 2{|?}) - - m') + f ({i^} - m) 

where {x} denotes the fractional part of x. These inequalities show that 
there is only one minimum that corresponds to a value of L such that 

1 /6 /6 

-2 + log4(Y 7^n) + e< Lop < log4(y -)n + e' , 

where e and e' are 0(-^). Therefore, the minimum value of G2{n,2, L) is 
asymptotically 

G2{n,2,Lop) ^ c^^n 
where c is a constant less than 5. 

□ 

Remark 3. In the computations of our bounds we essentially compute sepa- 
rately each monomial. Hence our approach seems to be very efficient for the 
computation of several polynomials at the same point. This fact is exploited 
in the computation of the required number of multiplications when the poly- 
nomial coefficients are in ¥20 . An application of equation and Theorem 
m would give the asymptotic estimate 
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G2s{n,2,Lop) ^ c\ -ns 



since the evaluation of any qi would cost cy^n. However, the polynomials 
qi{x,y) can be evaluated contemporarily. Therefore, computing the power 
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necessary to evaluate the polynomial at step L only once, this lead to a total 
number or required multiplications 

G2Hn,2,L) = s-(4 - 1) H ^ ^ 3 

because only the reconstruction operations need to be repeated s times. By 
repeating the argument outlined in the proof of Theorem {1\ the conclusion is 
that the optimal value of L depends also on s and asymptotically the required 
value of multiplications is 

V 

4 The case r > 2, p = 2 

The evaluation of a polynomial P{xi, . . . ,Xr) in r variables can be done 
writing P, similarly to equation ([2|), this polynomial as a sum of 2^ polyno- 
mials 



Ci, . . . , Xj. ) 



-P(xi , . . . , Xj.) — ^ ^ X^ ... Xj, P'ii^,, 

il,...,i,.e{0,l} 

= Xi ■ ■ ■ X^^ {Pij^^,,,^i^{xi, . . . , Xr)) , (3) 

ii,...,ve{o,i} 

where -Pii,...,v(xi, . . . ,Xr) is a polynomial of degree " f^^^ . The argument 
of Theorem [1] still applies, and the minimum number of steps is obtained in 
the following theorem. 

Theorem 2. Let Lopt be the number of steps of this method yielding the 
minimum number of products, G2{n,r,Lop), required to evaluate a polyno- 
mial of degree n in r variables, with coefficients in ¥2- Then Lgpt is an 
integer that asymptotically is included into the interval 



1 1 2*^-1 log2 n 11 2*^-1 log2 n 

2 + 2;^ H(2r+i-l)+^- - - 2 + 2;^ r!(2''-+i-l) + ^~ 



that is Lop is the integer closest to ^ log2 + — • Asymptotically 

the minimum G2{n,r, Lop) is included into the interval: 



/^V 2'--l r! -V ' ' -i^. y 2^-1 r! 
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Proof. Using equation ^ the polynomial P{xi, . . . ,Xr) evaluated at the 
point a = (qi,...,Qj.) G can be obtained from the evaluation of all 
Ph,...,ir{^i^ ■ ■ ■ 7^r) at a, by evaluating 2^ monomials a^^ . . . a]T (which re- 
quire 2^ — r — 1 multiplications), performing 2^ squaring, combining these 
factors with 2'' — 1 multiplications, and finally adding the results. 
We can iterate this procedure: at each step the number of polynomials Pij^s 
is multiplied by 2^ and their degrees are divided at least by 2. Therefore, 
after L steps the number of polynomials is 2^^ and their degrees are not 
greater than [^J. Once the 2^ numbers -Pii,...,v(ai, . . . , a^) are known, the 
total number of squaring is 

and the number of products necessary to obtain P{a) is 

(2'- - 1) [2^(^-1) + 2^(^-2) + . . . + 2''(^~^))] = 2''^ - 1 , 
hence the total number of required multiplications is 

nr+l 1 

^(2^^-l). 

2r _ ]^ V ' 

Since the total number of monomials in r variables in a generic polynomial 
of degree [^J is Mr{[^\), then Mj.([^J) — r — 1 is the number of prod- 
ucts necessary to evaluate all independent monomials. Therefore, the total 
number of multiplications for evaluating P{sl) is 

G2(n, r, L) = ^ {^^ - 1) + M,(n) - r - 1 . 

We look for the optimal value Lop giving the minimum G2{n,r, Lop). Since 




then Mr{[^\) is an expression that is ^{-^Y + asymptotically in n. 

The local optima are given by the values of L such the 

G2in,r,L) <G2{n,r,L-l) and G2(n, r, L) < G2(n, r, L + 1) . 

Then, considering the asymptotic expression 

or+l _ 1 1 r) 

G2in,r,L) = ^^r^ + -i^Y , 
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it is immediate to obtain the conditions 

22.L ^^n^ 2^-1 



r! 2^ 2''+! - 1 
1 2'' - 1 



r! 2^+1 - 1 ' 

showing that asymptotically Lop must satisfy the inequalities 

11 2*^-1 log2 n 11 2'" - 1 log2 n 

~2'^Yt^^ r!(2^+i - l)+^~ < < 2 + 2^^^°^^ ^,(2.+! _ 1)+^" • 

Therefore Lop is the closest integer to ^ log2 ^i^^r+i-i) + ^ log2 ^) the 
total number of products asymptotically is included into the interval: 



2^ — 1 r\ ^\ 1 1 op J V Y 2'' — 1 r! 

□ 



5 The case r > 2, > 2 

A polynomial . . . ,Xr) of degree n, in r variables over the field Fp, is 

simply decomposed into a sum of p*" polynomials as 

-P(xi , . . . , Xj.) — ^ ^ X-|^ ... Xj. Pii^,,,^i^ (X]^ , . . . , X^) 

ji,...,ve{o,i,-,p-i} 

^ xi^..x;'-(P,,„„,,(xi,...,x,)f (4) 

il,...,ir.e{0,l,.--,P-l} 

where -Pii,...,i^(xi, . . . , x^) is a polynomial of degree L~~"^~^J ■ Therefore the 
polynomial P(xi,...,Xr) evaluated at the point a = {ai, . . . ,ar) € F^m 
can be obtained from the evaluation of all polynomials -Pii,...,i,. (^ii • • • )^r) 
at a, by evaluating the p*" monomials . . . a*'' (which require p** — r — 1 
multiplications), performing p** computations of p-powers, combining these 
factors with multiplications, and finally adding all results. 
The argument of Theorem [T] and [2] still applies, and the minimum number 
of steps is obtained in the following theorem. 
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Theorem 3. Let Lopt be the number of steps of this method yielding the 
minimum number of products, Gp{n,r,Lop), required to evaluate a polyno- 
mial of degree n in r variables, with coefficients in ¥p. Then Lopt is an 
integer that asymptotically is included into the interval 



1 log„n 1 log„n 
- + B + < Lop< - + B + 

2 2-^-2 2 



where B = ^ log^ '^^^\(2^pr_i'^ , that is, Lop is the integer closest to B + ^"^j" " . 
Asymptotically the minimum Gp{n,r, Lop) is included into the interval: 



^ 'ip-l)K-4^^'^^' < Gpin,r,Lop) < 2^ Mp - X)^^^\n^- 1^ 



^jpr y pr _ I ^] Y p^ — 1 r\ 

Proof. Using equation dH) the polynomial P{xi, . . . ,Xr) evaluated at the 
point a = (Qi,...,Qr) G F^m can be obtained from the evaluation of all 

L'ix,...,ir{^i-, ■ ■ ■ ,Xr) at a, by evaluating p"^ monomials Oi . . . ap' (which re- 
quire p^ — r — 1 multiplications), computing p^' p-powers, combining these 
factors with p^ — 1 multiplications, and finally performing the required ad- 
ditions. 

We can iterate this procedure: at each step the number of polynomials is 
multiplied by p'^ and their degrees are at least divided by p. Therefore, after 
L steps the number of polynomials is p^^ and their degrees are not greater 
than L^J- Once the p^' numbers Pj^_.,,^i^(ai, . . . , a,.) are known, the total 
number of p-powers is 

p^ — 1 

and the number of products necessary to obtain P{a) is 

(p- - + + . . . + pr(L-L))^ = - 1 , 

hence the total number of required multiplications is 

pr -l^^ > 

The total number of multiplications for computing all the monomials of all 
the polynomials arising at step L is Mr([^J) — r — 1, and further {p — 
2)(Mr([^J) — r — 1) products are necessary to provide every possible term 



9 



occurring in the polynomials at step L. As a consequence the total number 
of multiplications necessary to evaluate -P(a) is 

^^(/^ - 1) + (P - 1)(M.(L ) - r - 1) . 

The same passages used in Theorem [2] allow us to conclude that Lop is 
asymptotically identified by the chain of inequalities 




r\{2p'- - 1) - - y r\{2p'- - 1) 

which written in the form 

1 logr,n 1 log„n 

— + B + < Lop< - + B + 

shows that the unique optimal value is the integer closest to i? + ^°^2 " ; 

where B = logp ^r!(2^p^-"i)^ ■ '^^^ minimum number of multiplications is 
asymptotically included into the interval 



^ {p-l)^-—^ rfl^ < Gp{n,r,Lop) < 2^ J {p - l)^^^—--n . 
p' \ p' —\ r\ V p' —\ r\ 

Remark 4. Our proofs start with the evaluations of certain monomials. 
Hence they may be extended verbatim to other finite- dimensional linear sub- 
spaces of ¥p[xi, . . . ,Xr], just taking their dimension a as vector spaces in- 
stead of the integer {"'^^) ■ For a suitable linear space V in Theorem 3 we 
could get a bound of order c^^foi with C3 ~ 2-sj2p'^^^ . For instance, call 
V{r, n) the linear subspace of¥p[xi, . . . ,Xr] formed by all polynomials whose 
degree in each variable is at most n. We have dim(y(n,r)) = (n + l)**. In 
this case iterating this procedure we arrive at each step at a vector space 
V{\n/p^^^,r). Taking L such that 2p'^^ ~ pd\m{y{\n/p^^^,r)), i.e. taking 
L ~ logp n/2 + B with -B ~ ^ logp(p)/2 ~ ^ ~ logp 2, we get an upper 
bound of order 2\j2p'^^'^rt!'l'^ . 



6 Further remarks 



The complexity of polynomial evaluation is crucial in the determination 
of the complexity of several computational algebra methods, such as the 
Buchberger-Moeller algorithm ( O [7] ) , other commutative algebra methods 
(^), the Berlekamp-Massey-Sakata algorithm ([11^ I12j). 
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In turn, these algorithms are the main tools used in algebraic coding 
theory (and in cryptography). This justifies our special interest in the finite 
field case. For example, the previous algorithms can be adapted naturally to 
achieve iterative decoding of algebraic codes and algebraic-geometry codes, 
see e.g. [T31 [3]. Other versions can decode and construct more general 
geometric codes, see e.g. [2]. 
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